CVE-2016-5385

HIGH

Oracle Communications User Data Repository < 5.09 - Open Redirect

Title source: rule
STIX 2.1

Description

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.

References (25)

Core 25
Core References
Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2016-08/msg00003.html
Broken Link, Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1613.html
Broken Link, Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1611.html
Broken Link, Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1610.html
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2016/dsa-3631
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/91821
Broken Link, Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1609.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1036335
Third Party Advisory x_refsource_misc
https://httpoxy.org/
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Broken Link, Third Party Advisory vendor-advisory x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2016-1612.html
Issue Tracking, Third Party Advisory, VDB Entry x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=1353794
Release Notes, Third Party Advisory x_refsource_confirm
https://github.com/guzzle/guzzle/releases/tag/6.2.1
Third Party Advisory, US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/797896
Patch, Third Party Advisory x_refsource_confirm
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201611-22
Third Party Advisory x_refsource_confirm
https://www.drupal.org/SA-CORE-2016-003

Scores

CVSS v3 8.1
EPSS 0.8350
EPSS Percentile 99.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-601
Status published
Products (18)
debian/debian_linux 8.0
drupal/drupal 8.0.0 - 8.1.7
fedoraproject/fedora 23
fedoraproject/fedora 24
hp/storeever_msl6480_tape_library_firmware < 5.09
hp/system_management_homepage < 7.5.5.0
opensuse/leap 42.1
oracle/communications_user_data_repository 10.0.0
oracle/communications_user_data_repository 10.0.1
oracle/communications_user_data_repository 12.0.0
... and 8 more
Published Jul 19, 2016
Tracked Since Feb 18, 2026